PS-07 External Personnel Security

Baselines

Guidance

External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.

References 2

• SP 800-35 Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35.
• SP 800-63-3 Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020.

Related controls 12

• AT-02 Literacy Training and Awareness L M H P
• AT-03 Role-based Training L M H P
• MA-05 Maintenance Personnel L M H P
• PE-03 Physical Access Control L M H P
• PS-02 Position Risk Designation L M H P
• PS-03 Personnel Screening L M H P
• PS-04 Personnel Termination L M H P
• PS-05 Personnel Transfer L M H P
• PS-06 Access Agreements L M H P
• SA-05 System Documentation L M H P
• SA-09 External System Services L M H P
• SA-21 Developer Screening L M H P